Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29715
HistoryAug 20, 2013 - 12:00 a.m.

Update: Linksys EA2700, EA3500, E4200v2, EA4500 Unspecified unauthenticated remote access

2013-08-2000:00:00
vulners.com
166
JSON

Vulnerabilities:
An unspecified bug can cause an unsafe/undocumented TCP port to open
allowing for:

  • Unauthenticated remote access to all pages of the router
    administration GUI, bypassing any credential prompts under certain
    common configurations

  • Direct access to several critical system files

CVE-ID 2013-5122
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Base Score 10
CVSS Temporal Score 8.1
Exploitability Subscore: 10.0

Affected models and firmware:
Linksys SMART Wi-Fi Router N600 - EA2700 Firmware Version: 1.0.14
Linksys SMART Wi-Fi Router N750 Smooth Stream EA3500 Firmware Version: 1.0.30
Linksys Maximun Performance N Router E4200v2 Firmware Version: 2.0.36
Linksys Maximun Performance N Router E4200v2 Firmware Version: 2.0.37
Linksys SMART Wi-Fi N900 Media Stream EA4500 Firmware Version: 2.0.36
Linksys SMART Wi-Fi N900 Media Stream EA4500 Firmware Version: 2.0.37
-Web Server Lighttpd 1.4.28
-Running - Linux 2.6.22

Vulnerability Conditions seen in all variations, though not limited too:

  • Classic GUI has been enabled/installed
  • Remote Management - Disabled
  • UPnP - Enabled
  • IPv4 SPI Firewall Protection - Disabled

Fixes and workarounds:

*** It is strongly advised to those that have the classic GUI firmware
installed to do a full WAN side scan for unusual ports that are open
that weren't specifically opened by the end user.

It is recommend to upgrade to firmware 2.1.39 on the E4200v2 and
EA4500, though it is uncertain if this resolves the problem in all
cases.
It is recommend to upgrade to firmware 1.1.39 on the EA2700 and
EA3500.though it is uncertain if this resolves the problem in all
cases.

Vendor: We have been working with Linksys/Belkin Engineers on this
problem, and they are still investigating the root cause. We hope to
have additional information on this bug soon.

External Links Misc:
http://www.osvdb.org/show/osvdb/94768
http://www.securityfocus.com/archive/1/527027
http://securityvulns.com/news/Linksys/EA/1307.html
http://www.scip.ch/en/?vuldb.9326
http://www.mobzine.ro/ionut-balan/2013/07/vulnerabilitate-majora-in-linksys-ea2700-ea3500-e4200-ea4500/

Vendor product links:
http://support.linksys.com/en-us/support/routers/EA2700
http://support.linksys.com/en-us/support/routers/EA3500
http://support.linksys.com/en-us/support/routers/E4200
http://support.linksys.com/en-us/support/routers/EA4500

Discovered - 07-01-2013
Updated - 08-15-2013
Research Contact - K Lovett, M Claunch
Affiliation - SUSnet

JSON